request a keytab from KDC in other domain

sunilcnair sunilcnair at hotmail.com
Wed Jan 9 10:39:54 EST 2008



Hello all,

I am Sunil C. I have a domain named xx.com which has a KDC.
I also have a domain co.yy where my server is. There is no KDC in it.

Users are in the xx.com domain.

But my servers are in the (co.yy) domain.

I had set up a test scenario with a user and a server in domain (xx.com).
Since the KDC was set up, I got a ticket and was able to authenticate well
using Kerberos.

My issue is that all my production servers are in domain (co.yy), which
doesn't have a KDC. I want to authenticate and use the server services in
that domain.
Setting up a KDC in both domains is not feasible for me.

Now I have done some configuration in the krb5.conf file on my server
(test.co.yy):

[domain_realm]
xx.com = XX.COM
.xx.com = XX.COM
co.yy = XX.COM
.co.yy = XX.COM

This shows that my domain co.yy, which does not have a KDC, is mapped
to the realm XX.COM.

Now I have some issues.

1) How can I get a keytab from the KDC of XX.COM (my server is in co.yy)?
   Is this command correct?
> ktpass -princ HTTP/test.co.yy@XX.COM

2) Can I get a keytab with that command?

3) I have heard of CNAME.
   Can I create a CNAME for my server like denver.xx.com CNAME test.co.yy?

If that's possible, I can request a keytab like this:
> ktpass -princ HTTP/denver.xx.com@XX.COM

Then will it relate to the real host name test.co.yy?

Please help me with my questions.





-- 
View this message in context: http://www.nabble.com/Issue-with-KDC-tp14370277p14714285.html
Sent from the Kerberos - General mailing list archive at Nabble.com.



